安全缺陷

与安全弱点和漏洞相关的缺陷

这些缺陷会突出显示代码中容易受到黑客攻击或其他安全攻击的地方。其中有很多不会导致运行时错误，但指出了代码中存在风险的区域。这些缺陷包括：

管理敏感数据
使用危险或过时的函数
生成随机数
从外部控制的路径和命令

Polyspace 结果

文件访问

`在检查时间和使用时间之间(TOCTOU)进行文件访问`	File or folder might change state due to access race
`向子进程暴露文件描述符`	Copied file descriptor used in multiple processes
`执行 chroot 之后未调用 chdir 即进行文件操作`	Path-related vulnerabilities for file manipulated after call to `chroot`
`对设备文件进行不当的 I/O 操作`	Operation can result in security vulnerabilities or a system failure
`对系统函数的调用不安全。`	Unsanitized command argument has exploitable vulnerabilities
`使用不安全的临时文件`	Temporary generated file name not secure
`易受攻击的路径操作`	Path argument with `/../`, `/abs/path/`, or other unsecure elements

特权

`丢弃特权的顺序错误`	Dropped higher elevated privileges before dropping lower elevated privileges
`特权丢弃未经验证`	Attacker can gain unintended elevated access to program
`Umask 与 chmod-style 参量一起使用`	Argument to `umask` allows external user too much control
`易受攻击的权限分配`	Argument gives read/write/search permissions to external users

标准函数

`不安全的标准加密函数`	Function is not reentrant or uses a risky encryption algorithm
`不安全的标准函数`	Function unsafe for security-related purposes
`使用危险标准函数`	Dangerous functions cause possible buffer overflow in destination buffer
`使用过时的标准函数`	Obsolete routines can cause security vulnerabilities and portability issues

数据库查询函数

`LDAP 注入`	Data read from an untrusted source is used in the construction of an LDAP query (自 R2023a 起)
`SQL 注入`	Data read from an untrusted source is used in the construction of an SQL query (自 R2023a 起)

随机数生成

`从常量种子得出的确定性随机输出`	Seeding routine uses a constant seed making the output deterministic
`从可预测种子得出的可预测随机输出`	Seeding routine uses a predictable seed making the output predictable
`易受攻击的伪随机数生成器`	Using a cryptographically weak pseudo-random number generator

其他

`关键数据成员不是私有类`	A critical data member is declared `public` (自 R2022a 起)
`未检查 errno`	`errno` is not checked for error conditions following function call
`从相对路径执行二进制文件可以被外部执行者所控制`	Command with relative path is vulnerable to malicious attack
`分配有绝对地址的函数指针`	Constant expression is used as function address is vulnerable to code injection
`敏感数据被硬编码`	Sensitive data is exposed in code, for instance as string literals
`网络连接操作顺序不正确`	Socket is not correctly established due to bad order of connection steps or missing steps
`结构体填充可能导致信息泄漏`	Padding bytes can contain sensitive information
`从相对路径加载库可以被外部执行者所控制`	Library loaded with relative path is vulnerable to malicious attacks
`数据长度和大小不匹配`	Data size argument is not computed from actual data length
`切换条件缺少 case`	`switch` variable not covered by cases and default case is missing
`误用 readlink()`	Third argument of `readlink` does not leave space for null terminator in buffer
`存储在文件系统中的纯文本密码`	Password stored in files in plain text format (自 R2023b 起)
`资源注入`	Data input is not properly restricted before being used as a resource identifier (自 R2024a 起)
`未检查敏感函数的返回值`	Sensitive functions called without checking for unexpected return values and errors
`敏感数据被打印输出`	Function prints sensitive data
`释放前未清除敏感堆内存`	Sensitive data not cleared or released by memory routine
`不确定的内存清理`	The code clears information that might be sensitive from memory but compiler optimization might leave the information untouched (自 R2022a 起)
`堆栈中存在未清除的敏感数据`	Variable in stack is not cleared and contains sensitive data

主题

Bug Finder 缺陷组
Bug Finder 的缺陷检查项分为数据流、并发、数值等分组。